Companies can no longer afford not to invest in protecting their data—and simplified solutions will drive better user behaviour, writes Eric McGee

Organisations often view security as a grudge purchase, resulting in them not adequately protecting their data assets. This, coupled with complex or multiple solutions that frustrate employees, often leads to security being compromised, putting the company at risk. While in South Africa there is a lack of policy-driven consequence, companies will have to take more responsibility for their data and invest in increased security as risks continue to grow in the wake of the Internet of Things (IoT) and pervasive connectivity.

The value associated with these security solutions is intangible and, because leaders don’t necessarily understand the value of the information, they don’t always understand the risks that surround it. Compare this to millennials or digital natives and the picture changes significantly. These millennials are attaching a monetary value to things in a virtual world, for example in gaming, and they therefore have a much better understanding of the value information provides.

The world has become a much more connected place than it has ever been before and the sophistication of online technologies has grown over the years, creating more of a cyber security threat. More and more organisations are being hacked daily and it is no longer about ‘if’ you will be hacked but rather ‘when’ you will be hacked. If leaders within organisations are not conscious of current and future cyber security threats, they are putting themselves and their customers at risk.

Although South African companies are investing in security, there is still a lack of understanding of what they are trying to achieve, which makes them feel like they are wasting money. People in general, not only in leadership, are willing to spend money on physical security items such as alarm systems, gates and beams. If they don’t, tangible assets will be stolen. Unfortunately, in the virtual world it is not that tangible.

Physical risks are mitigated by investing in security measures and the same goes for cyber security, where investment in encryption, anti-virus software, firewalls, to name a few, will reduce your exposure to risk. It is important for leadership to take charge and include employee education as part of their security strategy. Employees need to be educated on being responsible online, and to understand the risk and impact of their online behaviour and why they have to adhere to the company’s security policies.

An example that most organisations are aware of is the recent Panama breach incident, which will hopefully encourage a change in behaviour when it comes to cyber security. Another example is that of the Target breach in 2013, where the company failed to respond to its own data security breach alert. Something simple, that could have been prevented, instead resulted in 90 lawsuits from customers whose personal information was made public.

South Africa continues to lag behind the likes of Europe and the United States, where there are far more policies in place to protect personal information. Here, there isn’t that deep-rooted understanding of the responsibility for the protection of data. It is important that organisations come to terms with the fact that security and protection of their customers’ data and identities are their responsibility, even if there are limited policy-driven consequences.

Furthermore, millennials entering the workforce have very specific expectations when it comes to security and the virtual world, and will expect their employers to ensure they are protected.

Finally, the notion that security is an IT issue needs to be dispelled. Information assets belong to the organisation as a whole and therefore the organisation needs to take responsibility as a collective to secure these.